[X2Go-Dev] CVE-2013-7261: (fwd:) root exploit in X2Go Server

Mike Gabriel mike.gabriel at das-netzwerkteam.de
Sat Jan 4 17:56:17 CET 2014


Hi all,

I have been notified about a root exploit in X2Go Server code. This
vulnerability has been (hopefully) fixed in X2Go Server 4.0.1.10 (and  
in the LTS release branch 4.0.0.8).

This issue has now been assigned a CVE ID, too. Please see below.

All distributors of X2Go Server, please provide package upgrades to  
your distribution.

Thanks+Greets,
Mike

----- Forwarded message from cve-assign at mitre.org -----
   Date: Sat, 4 Jan 2014 11:23:29 -0500 (EST)
   From: cve-assign at mitre.org
Subject: Re: root exploit in X2Go Server
     To: mike.gabriel at das-netzwerkteam.de
     Cc: cve-assign at mitre.org

> this is to request a CVE-ID. We have been notified of and we have
> fixed a root exploit in X2Go Server.
>
> In versions of X2Go Server previous to 4.0.0.8 (LTS release branch)
> and previous to 4.0.1.10 (main release branch) a normal user could
> gain root access to X2Go Server machines.
>
> The vulnerability has been fixed by these commits
>
> http://code.x2go.org/gitweb?p=x2goserver.git;a=commitdiff;h=c2036a1152a7e57286ffeb8e8859177f8de64a33
> http://code.x2go.org/gitweb?p=x2goserver.git;a=commitdiff;h=80ff6997550749a64dd5db5684acbd47a4127ab3

Use CVE-2013-7261 for this issue involving root access through the use
of shell metacharacters.

--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]

----- End of forwarded message -----

-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel at das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb